Sequelize — CVE history (npm)
Sequelize
14 CVEs affect the Sequelize npm package (highest CVSS 10.0). Latest disclosed: 2026-03-10. Full CVE history sourced from NVD.
Summary
- Package
Sequelize(npm)- Total CVEs
14- Actively exploited (CISA KEV)
- 0
- Highest CVSS
10.0- Latest disclosed
- 2026-03-10
Recent CVEs (top 14)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-30951 | High | 7.5 | — | 2026-03-10 | Sequelize is a Node.js ORM tool. |
CVE-2023-25813 | Critical | 10.0 | — | 2023-02-22 | Sequelize is a Node.js ORM tool. |
CVE-2023-22580 | Medium | 5.3 | — | 2023-02-16 | Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. |
CVE-2023-22579 | Critical | 9.9 | — | 2023-02-16 | Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. |
CVE-2023-22578 | Critical | 10.0 | — | 2023-02-16 | Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. |
CVE-2019-10749 | Critical | 9.8 | — | 2019-10-29 | sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
CVE-2019-10748 | Critical | 9.8 | — | 2019-10-29 | Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
CVE-2019-10752 | Critical | 9.8 | — | 2019-10-17 | Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
CVE-2019-11069 | High | 7.5 | — | 2019-04-10 | Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. |
CVE-2016-10554 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
CVE-2016-10553 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
CVE-2016-10550 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious u… |
CVE-2016-10556 | High | 7.5 | — | 2018-05-29 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where ar… |
CVE-2015-1369 | — | — | — | 2015-01-27 | SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-25813 | Critical | 10.0 | — | 2023-02-22 | Sequelize is a Node.js ORM tool. |
CVE-2023-22578 | Critical | 10.0 | — | 2023-02-16 | Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. |
CVE-2023-22579 | Critical | 9.9 | — | 2023-02-16 | Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. |
CVE-2019-10749 | Critical | 9.8 | — | 2019-10-29 | sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
CVE-2019-10748 | Critical | 9.8 | — | 2019-10-29 | Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
CVE-2019-10752 | Critical | 9.8 | — | 2019-10-17 | Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
CVE-2016-10554 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
CVE-2016-10553 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. |
CVE-2016-10550 | Critical | 9.8 | — | 2018-05-31 | sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious u… |
CVE-2026-30951 | High | 7.5 | — | 2026-03-10 | Sequelize is a Node.js ORM tool. |